I track people who are disrupting the world of mobile technology. Non-conformists, innovators and agitators are this blog's unsung heroes, from entrepreneurs to scientists, to rebellious hackers. I'm the author of "We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous and the Global Cyber Insurgency", (Little Brown, 2012) which The New York Times called a "lively, startling book that reads as 'The Social Network' for group hackers." I recently relocated to Forbes' San Francisco office, and was previously Forbes' London bureau chief from 2008-12, interviewing British billionaires like Philip Green and controversial figures like Mohammed Al Fayed; I wrote last year's billionaires cover story on Russia's Yuri Milner, and have broken stories like the Facebook-Spotify partnership in 2011. Before all this I had stints at the BBC and as a radio journalist. You can watch me on 'The Daily Show' here. If you have a story idea or tip, e-mail me at polson@forbes.com or follow me on Twitter: parmy.

iPad Hacker Gears Up For Prison, Foresees Revolution

Andrew Aurenheimer has yet to hear his fate, but there’s every chance he’ll have to spend the next two-to-15 years behind bars.

Last year, he and another friend from the hacker group Goatse Security found a vulnerability in AT&T’s website for iPad owners. The hole exposed details of more than 114,000 customers who used the iPad, and Auernheimer, who also goes by the online nickname weev, notified AT&T then passed the details on to Gawker. A week after Gawker published a story on the breach, weev was arrested and charged with drug possession. Then earlier this month, a grand jury in New Jersey indicted him for gaining unauthorised access to computers and identity theft, in relation to the AT&T breach. The indictment was a surprise to weev and his hacker friends, but in the recent global crackdown on cyber punks it’s nothing new.

Last week police arrested 21 individuals across the U.S. and Europe who had dabbled in cyber attacks of some kind. Fourteen aligned themselves with the hacktivist and trolling movement Anonymous and its December attacks on PayPal. Another four from the Netherlands, two Americans and one Briton were arrested on suspicion of taking part in other attacks against organizations and companies. The 16-year-old Briton who is thought to have been a core member of the hacker group LulzSec, was released on bail last week pending further questioning.

Hackers like weev, LulzSec and those supporting Anonymous are more a nuisance to law enforcement than the more serious threat posed by fraudsters, card scammers and other cyber criminals. Still, weev sees the recent disruptions by hacktivists like himself as the start of a broader trend towards some sort of uprising against those in authority and with money, using the Internet as a Wild West-type landscape for causing disruption.

“I look at it like the precursor to revolution. I really think this is throwing tea in the bay,” he told me by phone when I caught up with him last week. “I’m tired of seeing a financial industry suck at the trough of 401K’s, looting my nation and leaving us a third-world country.” Weev accepts the description of hacktivist though he rejects hacker. “What I do never involves hacking. It just involves public records,” he says, noting that he accessed the AT&T vulnerability via a public web server.

“There was no password, no firewall, no breaking or entering. All I did was inform people that AT&T had put them at risk.” It was all part of Aurenheimer’s attempt to make a name for himself in the security industry and, according to his open letter to AT&T “as a service to our nation.” (Last summer TechCrunch agreed, and awarded Goatse a Crunchie Award for public service.) He says prosecutors have used chat logs that show him musing about exploiting the iPad data for phishing as evidence of malicious intent, when he was actually laying out reasons why people were at risk.

Post Your Comment

Post Your Reply

Forbes writers have the ability to call out member comments they find particularly interesting. Called-out comments are highlighted across the Forbes network. You'll be notified if your comment is called out.

Comments

I think the important part is intent. It appears from this article that Aurenheimer really had no malicious intent. If we jail people who find security holes to bring them to peoples attention, then the only ones who will find these holes are those who do wish to exploit them.

The issue is that the job of a DA is to prosecute for a conviction, not to judge the culpability of the suspect. I really have to question here if real justice is being served. (All this assuming, of course, that the impression given here is accurate.)

It’s unfortunate that he could be facing YEARS in jail for pointing out a security flaw. I especially love that he can be jailed, but AT&T and Apple get off (relatively) scott free for exposing the personal information of their customers. Could Apple and AT&T become the new Sony?

Speaking of terribad security, Forbes should really L2SSL. The only thing that surprised me more than seeing you display my username/password in plaintext when I clicked the confirmation link in the Email was that the login itself is over HTTP, not HTTPS. I know, I know, bandwidth is expensive… and security is hard… /sigh.